rand.go

     1  // Copyright 2010 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  // Package rand implements a cryptographically secure
     6  // random number generator.
     7  package rand
     8  
     9  import (
    10  	"crypto/internal/boring"
    11  	"crypto/internal/fips140"
    12  	"crypto/internal/fips140/drbg"
    13  	"crypto/internal/sysrand"
    14  	"io"
    15  	_ "unsafe"
    16  )
    17  
    18  // Reader is a global, shared instance of a cryptographically
    19  // secure random number generator. It is safe for concurrent use.
    20  //
    21  //   - On Linux, FreeBSD, Dragonfly, and Solaris, Reader uses getrandom(2).
    22  //   - On legacy Linux (< 3.17), Reader opens /dev/urandom on first use.
    23  //   - On macOS, iOS, and OpenBSD Reader, uses arc4random_buf(3).
    24  //   - On NetBSD, Reader uses the kern.arandom sysctl.
    25  //   - On Windows, Reader uses the ProcessPrng API.
    26  //   - On js/wasm, Reader uses the Web Crypto API.
    27  //   - On wasip1/wasm, Reader uses random_get.
    28  //
    29  // In FIPS 140-3 mode, the output passes through an SP 800-90A Rev. 1
    30  // Deterministric Random Bit Generator (DRBG).
    31  var Reader io.Reader
    32  
    33  func init() {
    34  	if boring.Enabled {
    35  		Reader = boring.RandReader
    36  		return
    37  	}
    38  	Reader = &reader{}
    39  }
    40  
    41  type reader struct {
    42  	drbg.DefaultReader
    43  }
    44  
    45  func (r *reader) Read(b []byte) (n int, err error) {
    46  	boring.Unreachable()
    47  	if fips140.Enabled {
    48  		drbg.Read(b)
    49  	} else {
    50  		sysrand.Read(b)
    51  	}
    52  	return len(b), nil
    53  }
    54  
    55  // fatal is [runtime.fatal], pushed via linkname.
    56  //
    57  //go:linkname fatal
    58  func fatal(string)
    59  
    60  // Read fills b with cryptographically secure random bytes. It never returns an
    61  // error, and always fills b entirely.
    62  //
    63  // Read calls [io.ReadFull] on [Reader] and crashes the program irrecoverably if
    64  // an error is returned. The default Reader uses operating system APIs that are
    65  // documented to never return an error on all but legacy Linux systems.
    66  func Read(b []byte) (n int, err error) {
    67  	// We don't want b to escape to the heap, but escape analysis can't see
    68  	// through a potentially overridden Reader, so we special-case the default
    69  	// case which we can keep non-escaping, and in the general case we read into
    70  	// a heap buffer and copy from it.
    71  	if r, ok := Reader.(*reader); ok {
    72  		_, err = r.Read(b)
    73  	} else {
    74  		bb := make([]byte, len(b))
    75  		_, err = io.ReadFull(Reader, bb)
    76  		copy(b, bb)
    77  	}
    78  	if err != nil {
    79  		fatal("crypto/rand: failed to read random data (see https://go.dev/issue/66821): " + err.Error())
    80  		panic("unreachable") // To be sure.
    81  	}
    82  	return len(b), nil
    83  }
    84
View as plain text